<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>On the road to Bandol &#187; cloud</title>
	<atom:link href="https://javacard.vetilles.com/tag/cloud/feed/" rel="self" type="application/rss+xml" />
	<link>https://javacard.vetilles.com</link>
	<description>A weblog on Java Card, security, and other things personal</description>
	<lastBuildDate>Mon, 18 Aug 2025 06:48:26 +0000</lastBuildDate>
	<language>en-US</language>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.0.32</generator>
	<item>
		<title>Twitter going feudal on security</title>
		<link>https://javacard.vetilles.com/2013/10/04/twitter-going-feudal-on-security/</link>
		<comments>https://javacard.vetilles.com/2013/10/04/twitter-going-feudal-on-security/#comments</comments>
		<pubDate>Fri, 04 Oct 2013 14:46:07 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=873</guid>
		<description><![CDATA[I have recently experienced security issues with Twitter, as my account was in some way hacked. And I am not happy of the way Twitter handles this situation. First, here are the facts that I know: Two weeks ago, a got an e-mail from a colleague warning me that he just received a spam Direct [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I have recently experienced security issues with Twitter, as my account was in some way hacked. And I am not happy of the way Twitter handles this situation.</p>
<p>First, here are the facts that I know:</p>
<ul>
<li>Two weeks ago, I got an e-mail from a colleague warning me that he had just received a spam Direct Message from me and that my account may have been hacked</li>
<li>I immediately looked at Twitter, just to find that another one of my followers had received spam</li>
<li>I then changed my password, and started to review the authorizations I had given</li>
<li>My authorizations were not looking good. Over the years, I had authorized many companies, usually those building Twitter clients. Some of them sported exotic names, and had the &#8220;read, write, and direct message&#8221; privileges.</li>
<li>I removed privileges to all these guys, and many more, and only kept the ones that I use daily and are issued by supposedly &#8220;good&#8221; companies, like Twitter and HTC, and service that I had used recently, such as Pullquote.</li>
<li>At this stage, I was hoping that this minimal work was sufficient to solve this hack thing (Disclosure: I am currently recovering from eye surgery, and at that time, my vision was very bad).</li>
</ul>
<p>Well, I am not sure that these measures were sufficient to stop hackers, but none of my friends/followers have complained about receiving direct messages after that day. And knowing the proportion of security people in this crowd, this makes me feel quite good.</p>
<p>But then, Twitter kicked in:</p>
<ul>
<li>Two hours after I fixed things, I received a &#8220;Your password has been reset&#8221; e-mail from Twitter, explaining to me that my account may have been hacked, and that I should change my password. That sounded about right, so I changed my password (again), as instructed.</li>
<li>The next day, I received the same e-mail again: &#8220;Twitter has reset your password&#8221;. That got me a bit worried, so I took a few additional steps. First, I considered the possibility of spam: instead of clicking on the password reset link directly, I copy-pasted it into the browser and hand-typed the https://twitter.com/ part, just in case. I also made a more drastic review of my authorizations, only keeping the clients on my phone and iPad.</li>
</ul>
<p>Everything went fine for 5 days. And just as I was thinking that the issue was over, I got another &#8220;Your password has been reset&#8221; e-mail from Twitter. This time, it was just not fun, and I had recovered a bit, so I investigated a bit more.</p>
<ul>
<li>Since I knew that some contacts had received direct messages from me, I checked my direct messages, and no spam appeared there. This is strange, since my non-spam DMs sent from authorized clients do appear there.</li>
<li>I checked all the links provided in the e-mails, and I have not been able to find any useful information, or any way to ask for details.</li>
<li>I Google&#8217;d the problem, found other people with the same problem (or worse), but no clue of a solution.</li>
</ul>
<p>So, in the end, I know that (1) my account has been hacked about two weeks ago, (2) Twitter noticed it somehow and reset my password, (3) Twitter then found two more reasons to reset my password in a week, and (4) the only thing that I can do is hope that this is over, because I don&#8217;t have a way to get any additional information about the problem.</p>
<p>So, I do believe that this is an instance of what Bruce Schneier calls <a href="https://www.schneier.com/blog/archives/2013/06/more_on_feudal.html" class="liexternal">feudal security</a>. The Lords of Twitter provide me some security in exchange for my using their service and reading a few ads, and as a good serf, I am not allowed to ask any questions or participate in the defense.</p>
<p>This is a bit scary to me. I like the Twitter service, and I am a rather happy user, exchanging information on this social network. But what am I to do if the Twitter police keeps resetting my password? How do I know whether this is a mistake, or I am really getting hacked? In such a situation, I guess that the only way would be to either stop using Twitter, or get a new handle. None of these solutions look good to me.</p>
<p>So, I can only hope that the Lords of Twitter protect me well, and that the Prince of Facebook does the same. But mixing this kind of desperate hope with my professional hope that the Internet of Things becomes a reality is not reassuring. Feudal security is not a good future.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2013/10/04/twitter-going-feudal-on-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chip to Cloud, day 2: NFC authentication in the cloud</title>
		<link>https://javacard.vetilles.com/2012/09/20/chip-to-cloud-day-2-nfc-authentication-in-the-cloud/</link>
		<comments>https://javacard.vetilles.com/2012/09/20/chip-to-cloud-day-2-nfc-authentication-in-the-cloud/#comments</comments>
		<pubDate>Thu, 20 Sep 2012 10:15:51 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[NFC]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/2012/09/20/chip-to-cloud-day-2-nfc-authentication-in-the-cloud/</guid>
<description><![CDATA[This is a presentation from Gemalto&#8217;s Maurizio Divona, delivered by his colleague Virgine Galindo. It starts from cloud authentication, where strong authentication typically happens with tokens that need to be distributed by service providers. The idea is of course to use NFC technology to simplify this, which would allow the use of strong authentication in [&#8230;]]]></description>
<content:encoded><![CDATA[<p>This is a presentation from Gemalto&#8217;s Maurizio Divona, delivered by his colleague Virgine Galindo. It starts from cloud authentication, where strong authentication typically happens with tokens that need to be distributed by service providers.</p>
<p>The idea is of course to use NFC technology to simplify this, which would allow the use of strong authentication in more situations. The idea here is to have credentials in mobile phone applications, and to use them in an NFC transaction with a PC. Here, the service provider delivers a user credential to the phone, or delegates this to a TSM. Because the credential will be stored in the secure element, it is possible to emulate all kinds of hardware tokens on the mobile phone, with a similar security level.</p>
<p>This is an interesting way to introduce new applications in the NFC secure element, especially if they can make our lives easier. Of course, this assumes that there actually is an infrastructure ready for downloading content to it, and business models in place to actually get the credentials to the secure element in an efficient way. So, some way to go here.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/09/20/chip-to-cloud-day-2-nfc-authentication-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chip to Cloud, day 1: Now, cloud TSM</title>
		<link>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-now-cloud-tsm/</link>
		<comments>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-now-cloud-tsm/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 13:21:19 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[NFC]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-now-cloud-tsm/</guid>
		<description><![CDATA[A presentation by Thian Yee, from Cassis (a Safran Morpho company). TSMs are moving from 1-1 relationships to n-n relationships. The challenges they face are related to customer experience, which must be very simple and consistent; flexibility and scalability, as demand is very variable, depending on product launches, with unsustainable peak demand; and finally, regulatory [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>A presentation by Thian Yee, from Cassis (a Safran Morpho company). TSMs are moving from 1-1 relationships to n-n relationships. The challenges they face are related to customer experience, which must be very simple and consistent; flexibility and scalability, as demand is very variable, depending on product launches, with unsustainable peak demand; and finally, regulatory requirements, time-to-market and cost.</p>
<p>Cassis is now trying to offer TaaS (TSM as a service, of course), where the TSM performs the essential processing, and also streamlines it, for instance by leaving the most sensitive data at the bank, and only sending crypto requests to the bank.</p>
<p>In the future, they envision many TSMs in the cloud, where collaboration will be made easier. Of course, there are things to consider to make that happen, including of course some action on regulatory bodies, who may not like this move to an uncontrolled cloud.</p>
<p>I have always thought that this kind of activity was difficult today, because cloud is about elasticity, and Hardware Security Modules (typically used by TSMs to store sensitive data) are not all that elastic. Of course, proposing to keep the sensitive data on the bank&#8217;s server is one way to address that, but it also shifts some responsibility from the TSM back to its customer, which is a bit strange.</p>
<p>Nevertheless, I get this feeling that a TSM cloud needs to be really secure. This would either mean that someone builds a TSM cloud and shares it with others (Gemalto, do you want to be the Amazon of TSMs?), or that someone builds a cloud for secure applications, possibly beyond TSM. I am sure that there are other reasons to use a secure cloud, so this may be the way. Anyway, this is interesting to follow, because leveraging the cloud&#8217;s properties will give a competitive edge to any TSM.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-now-cloud-tsm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chip to Cloud, day 1: Cloud security panel</title>
		<link>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-cloud-security-panel/</link>
		<comments>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-cloud-security-panel/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 11:06:08 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-cloud-security-panel/</guid>
<description><![CDATA[A few bits from Helmut Scherzer, from G&#038;D: The digital natives don&#8217;t want to escape the Web. We went from visual Web to the social Web, and they will go to the next step with the semantic web, where knowledge is well classified and organized. Big companies are very big. The CEO of Toshiba estimated [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>A few bits from Helmut Scherzer, from G&#038;D:</p>
<ul>
<li>The digital natives don&#8217;t want to escape the Web. We went from visual Web to the social Web, and they will go to the next step with the semantic web, where knowledge is well classified and organized.</li>
<li>Big companies are very big. The CEO of Toshiba estimated that it would take them 10 years to build the same computing power as Google. Quite an advantage. Plus, of course, Google has a lot of your data, and their CEO said that people are waiting for Google to tell them what to do next.</li>
<li>Privacy is not absolute. Google Street View caused a privacy scandal in Germany, but as Audi introduced Street View in cars, people became interested in seeing their home on it. You can buy people beyond privacy.</li>
<li>There is the http://pleaserobme.com/ service, which is really a nice tool to show how people tell everybody that they are far away from home (no, I am not far away, and there is someone at home)</li>
<li>Babyboomers wanted to improve the world and own cars, Generation X wanted to find themselves and got used to computers, and digital natives have grown up with computers, and this is true in all aspects of their life.</li>
<li>The network has become a moral instance, and pressure from social networks is increasing. The network is also not forgiving, as everything gets recorded, and this does not look like a good evolution (especially if you don&#8217;t conform with the net morals).</li>
</ul>
<p>He finished with a wish list for the future, from which my favorite item was &#8220;security without doing anything for it&#8221;.</p>
<p>Next speaker is Peter Hustinx, European Data Protection Supervisor, about making data protection more effective and consistent across EU. Of course, he talks about upcoming new regulations that would address some issues outlined just before.</p>
<ul>
<li>The first one is to put the user in control, with the right to access, remove data, being forgotten, and much more.</li>
<li>Next thing is to make providers responsible, with mandatory assessments.</li>
<li>Effective supervision is required, with more powerful national organizations, and more cooperation between countries</li>
<li>Finally, Europe is only one part of setting up a Global Privacy framework, by setting up instruments for adequate protection, and of course, more cooperation, for instance, between the EC and the FTC.</li>
</ul>
<p>Next speaker is Joerg Borchert, from Infineon and Trusted Computing Group, rapidly presenting the TCG, including the following statement:</p>
<ul>
<li>The cloud means the mix of trust and multi-tenancy, with a root in hardware at the server level.</li>
</ul>
<p>Final speaker is Detlef Houdeau, from Eurosmart and Infineon, talking about a whitepaper recently published on cloud security.</p>
<ul>
<li>Cloud security is a combination of computing security, network security, and information security. Very different points of view.</li>
<li>There are many actors around cloud security, both at the European level and at the industry level, but these efforts don&#8217;t focus on the cloud issues. This leads to risks, such as the lack of EU guidelines.</li>
<li>Eurosmart recommends to work on privacy, security, and data protection</li>
</ul>
<p>Well, this conference leaves me frustrated, as I didn&#8217;t get the same impression of consistency as in the first panel. The speakers sounded a bit like everybody is proposing solutions without listening much to the others. Also, I am not convinced that we have done the work of linking the societal aspects of the cloud, as expressed in the first talk, with clear societal objectives. Instead, we are jumping directly to technical proposals. The legal framework may make the link, by defining incentives to develop the &#8220;right&#8221; technological answers. Still, privacy by design is a nice idea, that we have to make flexible enough to match the lifestyles of our digital natives. We of course want to avoid falling into Big Brother&#8217;s arms, but we also have to make sure that we create an environment in which we can be free to share things freely. And that is a challenge.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-cloud-security-panel/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud (mis)authentication</title>
		<link>https://javacard.vetilles.com/2012/08/07/cloud-misauthentication/</link>
		<comments>https://javacard.vetilles.com/2012/08/07/cloud-misauthentication/#comments</comments>
		<pubDate>Tue, 07 Aug 2012 10:17:39 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[Identities]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cloud]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=814</guid>
		<description><![CDATA[I just read an amazing and chilling story about cloud authentication and hacking. Some guy just lost a big chunk of his digital life, because cloud authentication is not secure, or maybe even more, because cloud authentication is not enough standardized/regulated/watched. In his case (read the story, I won&#8217;t repeat it here, and it is [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I just read <a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/" class="liexternal">an amazing and chilling story</a> about cloud authentication and hacking. Some guy just lost a big chunk of his digital life, because cloud authentication is not secure, or maybe even more, because cloud authentication is not enough standardized/regulated/watched. In his case (read the story, I won&#8217;t repeat it here, and it is definitely worth it), the main flaw comes from the fact that Amazon identifies your credit cards on file by the 4 last digits, and Apple requires these very digits to authenticate an iCloud user.</p>
<p>What? No standard on the digits that may/may not be disclosed? I couldn&#8217;t get the facts from EMV or others (if you know, I am interested), but I noticed that although the digits printed on most of my (French) credit card receipts are the same (9 digits following the pattern xxxx xx00 0000 000x), some of my receipts include the infamous 4 last digits, and an Italian receipt includes the 8 first digits. Just from these few examples, I would say that either there is no standard about which digits to show/hide, or the standard is not applied anyway. It is not difficult to guess that this is most likely not better on the Internet, and not only at Amazon.</p>
<p>On this particular issue, I would blame Apple, because the information they require to grant access to an iCloud account is not sufficient (e-mail, billing address, partial credit card number). In particular, Apple allows you to forget the answers to your security questions, which doesn&#8217;t sound very good.</p>
<p>Mat Honan recommends in his paper to move beyond passwords and to adopt two-factor authentication. This sounds sensible, and I approve this move. However, in the present case, how useful would that be? If a cloud vendor uses two-factor authentication, then there must be a procedure for lost tokens. And this procedure better be good.</p>
<p>Not that it&#8217;s that complicated to design a procedure that works. We can for instance rely on existing infrastructure, like the Post Office. You can request your password to be snailmailed to you in a Certified Letter, which will require in-person delivery at your home or authentication with a government ID at the post office. This works perfectly against hackers, because they are not good at physical actions that require real presence.</p>
<p>However, this has some trade-offs: delay and price. Changing a password online is about free and instantaneous, whereas sending a physical letter has a cost, and it will take at least one day. I am ready to accept this delay and this cost to protect my most important cloud accounts, because I have some understanding of the risks. Not everybody does.</p>
<p>This actually represents an interesting role for two-factor authentication tokens: end-user education. Because they are a physical object, any user will understand that a new one needs to be sent if it is lost or compromised. And although they won&#8217;t be happy, they may/should/will associate the cost and delay associated to the token replacement to the security of their account.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/08/07/cloud-misauthentication/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Amazon does little shifts</title>
		<link>https://javacard.vetilles.com/2011/03/30/amazon-does-little-shifts/</link>
		<comments>https://javacard.vetilles.com/2011/03/30/amazon-does-little-shifts/#comments</comments>
		<pubDate>Wed, 30 Mar 2011 06:27:25 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[cloud]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=717</guid>
		<description><![CDATA[So, Amazon is launching an online music service, where you can store your music on their servers and then stream it to your devices. This is impressive, and as mentioned by some, we are getting closer to the mythical GDrive. Amazon&#8217;s announcement gives us a very cheap online storage: by just buying one album on [&#8230;]]]></description>
<content:encoded><![CDATA[<p>So, Amazon is <a href="http://www.amazon.com/b/ref=amb_link_355091782_4?ie=UTF8&#038;node=2658409011&#038;pf_rd_m=ATVPDKIKX0DER&#038;pf_rd_s=center-2&#038;pf_rd_r=0J3XBYRHAC5ZTB9ABCZF&#038;pf_rd_t=101&#038;pf_rd_p=1291940422&#038;pf_rd_i=163856011" class="liexternal">launching</a> an online music service, where you can store your music on their servers and then stream it to your devices. This is impressive, and as mentioned <a href="http://www.fabcapo.com/2011/03/did-amazon-just-launch-mythical-gdrive.html" class="liexternal">by some</a>, we are getting closer to the mythical GDrive. Amazon&#8217;s announcement gives us very cheap online storage: by just buying one album on Amazon&#8217;s MP3 store, you get 20GB of free storage. Even if you buy a $5 album (cheaper ones are available), that is about $0.25 per gigabyte per year, which is cheap.</p>
<p>Amazon started with the books, as all my Kindle books are stored online, with all the information, and can be instantly retrieved anywhere, anytime. They are now moving to music, which consumes significantly more storage and bandwidth. Video is probably next. Now, will they stop there, or will they move into other types of content, like office documents?</p>
<p>Another interesting thing is the mobile client. We know that Amazon is a friend of Android, especially since they have launched their own Android application store. However, they have gone a bit further here, since the Amazon Cloud Player is only available for Android at launch. No iOS version at this time, which is quite a bold statement for a product that launched only in the U.S. Of course, an iOS version must be somewhere in the works, but Amazon knows that, eventually, Apple is not going to like their competition. After all, loyal iTunes customers can now upload all their iTunes music into Amazon&#8217;s Cloud, and stream it. Maybe an indication why they can only do that on an Android device: It&#8217;s a free world.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2011/03/30/amazon-does-little-shifts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Live from Oracle OpenWorld: Cloud and Identity</title>
		<link>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/</link>
		<comments>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 20:42:49 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Identity]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=625</guid>
		<description><![CDATA[At midday, it is time for a little break in my smart card day, and go listen to an Oracle OpenWorld session. I might as well leverage today&#8217;s professional look to blend better into OOW&#8217;s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatent advertising [&#8230;]]]></description>
<content:encoded><![CDATA[<p>At midday, it is time for a little break in my smart card day, to go listen to an Oracle OpenWorld session. I might as well leverage today&#8217;s professional look to blend better into OOW&#8217;s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatant advertising session for some Oracle product. No exception for that session, which was about Identity in the cloud. Here are a few highlights of that session (before the advertising part), provided more or less raw:</p>
<p>74% of people are worried about security in the cloud, in particular because of the loss of control that comes from moving your applications into Software-as-a-Service, or even only when you are getting into Infrastructure-as-a-Service. But the worries come from the classic security approach with perimeter defense: your security is based on high walls keeping people out.</p>
<p>Cloud computing introduces a disruption, but it only means that perimeter defense has become obsolete, and that other things are required. Security now needs to be enforced by policies, not only based on the topology of the network.</p>
<p>For an SME, the perceived risks (from ENISA) include vendor/service lock-in (am I stuck forever with Amazon?), malicious insiders (who is accessing my data?), management interface compromise (could someone impersonate my IT manager?), or legal risks (where is my data stored?). Another point is that shared services can be more attractive to hackers, because compromising them can grant access to several actors.</p>
<p>Of course, according to the speaker, identity is the solution. His main idea is to extend the (Oracle) identity management system used in the enterprise into the cloud. For instance, for federation, SAML-based federations can be used to get into the cloud. </p>
<p>Privileged account management is very important. Cloud services come with &#8220;superuser&#8221; accounts that have the ability to completely manage a service. These accounts should only be accessible through a mechanism that can track, monitor and control access.</p>
<p>For other accounts, account lifecycle management can be an extension of the standard enterprise system.</p>
<p>Something very interesting is to use claims-based identity. Claims-based provisioning can get the necessary identity information through a single SAML token, without having to directly connect to the enterprise systems. More importantly, identity assertions (such as attributes and roles) can be used for authorization purposes. However, this is not necessarily accepted by all cloud providers. When supported, XACML allows enterprises to export their internal policies to the cloud service provider.</p>
<p>Ultimately, the enterprise can become an Identity Services Provider, leveraging the IAM services available internally to cloud applications, or to partner applications outside of the enterprise. The objective is here to promote a loose coupling between the services and the low-level authentication.</p>
<p>Then, we get into Oracle advertising, reminding that identity management is part of Oracle&#8217;s offer, and provides all the services mentioned previously.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Live from JavaOne: Identity for Services in the Cloud</title>
		<link>https://javacard.vetilles.com/2010/09/22/live-from-javaone-identity-for-services-in-the-cloud/</link>
		<comments>https://javacard.vetilles.com/2010/09/22/live-from-javaone-identity-for-services-in-the-cloud/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 04:16:33 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[Identities]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=617</guid>
		<description><![CDATA[The next talk was about Identity for Services in the Cloud, by Jiandong Guo and Symon Chang. Their focus was to promote their favorite solution, which has been around for a while, and whose objective is to clearly separate authentication from authorization using standards. Their scheme is quite classical: The client gets a SAML token [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>The next talk was about Identity for Services in the Cloud, by <a href="http://blogs.sun.com/trustjdg/" class="liexternal">Jiandong Guo</a> and Symon Chang. Their focus was to promote their favorite solution, which has been around for a while, and whose objective is to clearly separate authentication from authorization using standards. Their scheme is quite classical:</p>
<ul>
<li>The client gets a SAML token from Security Token Service (STS) using WS-Trust protocol.</li>
<li>The client puts the SAML token into the message.</li>
<li>The server verifies SAML token and makes authentication and authorization decision.</li>
</ul>
<p>Of course, the actual authentication occurs in the first step, between the client and the STS. After that, it is all a question of trust between the server and the STS that has generated the SAML token. With this scheme, we can avoid direct authentication between the client and the server.</p>
<p>Nothing really new, but I really liked their explanation, based on a parallel with the JavaOne conference badges. When you arrive at JavaOne, you first go to registration. There, you need to prove your identity by showing an official ID to the attendant, who will then prepare the badge that grants you access to the conference. In addition, the attendant will add some ribbons that describe your specific attributes. For instance, I have the &#8220;Speaker&#8221; and &#8220;Alumni&#8221; ribbons. These ribbons are attributes that complement your basic identification, and allow you to get authorized in some circumstances. For instance, I can get into the speaker lounge, and I got an alumni jacket.</p>
<p>The conference badge acts like a SAML token: the basic badge shows that you have been authenticated, and the additional attributes describe some of your characteristics. </p>
<p>The model can be slightly enhanced by using two levels of STS. The idea is that the user will get a SAML token from a local STS, and use that token. The server will then take that token to another STS (local to the server), and get in return another SAML token, suited to its needs. With this scheme, both the client and the server only need to trust a single STS. The business of trust is entirely delegated to the two STS&#8217;s, which need to trust each other. This clearly separates the trust issues from the rest.</p>
<p>Interesting presentation, but I still don&#8217;t feel enlightened about identity in the cloud. There is another session tomorrow on the topic, I hope that I will be thrilled.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2010/09/22/live-from-javaone-identity-for-services-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
